#51180 [SC - Medium] Function is vulnerable to gas griefing
Submitted on Jul 31st 2025 at 19:05:05 UTC by @PotEater for Attackathon | Plume Network
Report ID: #51180
Report Type: Smart Contract
Report severity: Medium
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/Spin.sol
Impacts:
Theft of gas
Description
Brief / Intro
In the Spin.sol contract, the function handleRandomness contains a gas griefing attack vector due to an arbitrary external call (via a low-level call) that can trigger a malicious recipient's fallback/receive logic.
Vulnerability Details
handleRandomness is intended to be called by the supra router to provide the random number and determine the reward. However, when certain reward categories are chosen, the contract calls _safeTransferPlume(user, rewardAmount * 1 ether);, which ultimately performs a low-level call to the user's address. Because this call targets an arbitrary address, the recipient can execute arbitrary code in their receive/fallback function.
Code snippet:

```solidity
if (
    keccak256(bytes(rewardCategory)) == keccak256("Jackpot")
        || keccak256(bytes(rewardCategory)) == keccak256("Plume Token")
) {
    _safeTransferPlume(user, rewardAmount * 1 ether);
}
```

A malicious recipient can include gas-heavy computations in their fallback/receive to cause excessive gas consumption when the supra router triggers handleRandomness, resulting in the supra router paying for that gas, effectively a theft of gas.
Impact Details
The supra router (the caller) must pay for any gas consumed during the external call. A malicious recipient can deliberately consume large amounts of gas in their fallback/receive, causing direct loss of funds for the supra router. This is a classic gas-griefing scenario.
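The usual mitigation for this class of issue is to stop paying out inside the router callback and let the winner pull the reward in a transaction they pay for themselves. The sketch below is an added illustration and not code from Spin.sol: the body of _safeTransferPlume is assumed to be a plain low-level call, and pendingRewards, _creditPlume and claimReward are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration; only handleRandomness/_safeTransferPlume are names from the report.

contract PushPayoutSketch {
    // Assumed shape of the push payout: a low-level call that forwards all remaining gas.
    // Whatever the recipient's receive()/fallback() does, the transaction sender
    // (the router that invoked handleRandomness) pays for that gas, and a revert
    // in the recipient also reverts the whole callback.
    function _safeTransferPlume(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract PullPayoutSketch {
    mapping(address => uint256) public pendingRewards;

    event RewardCredited(address indexed user, uint256 amount);
    event RewardClaimed(address indexed user, uint256 amount);

    // Called from the randomness callback instead of paying out inline.
    // No external call is made here, so the router's gas cost is bounded and
    // a gas-hungry or reverting recipient cannot influence the callback.
    function _creditPlume(address user, uint256 amount) internal {
        pendingRewards[user] += amount;
        emit RewardCredited(user, amount);
    }

    // The winner pays for their own transfer, including any logic in their receive().
    function claimReward() external {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingRewards[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit RewardClaimed(msg.sender, amount);
    }

    receive() external payable {}
}
```

With the pull pattern the callback only writes storage, so the gas the router spends no longer depends on who won.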
References
https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/spin/Spin.sol#L261
Proof of Concept